Embedded app Auth0 flow

brodriguez98
Visitor

Hi,

I already have a working public app which performs the initial Auth0 installation flow, and the shop's offline access token is stored in my database. I also have a working proxy which sends calls from storefront to my server, and I can successfully verify the Shopify generated signature coming from the proxy, and retrieve the corresponding shop's access token to make requests to the Admin API.

Now I want to make calls from my embedded app to my server and then to the Shopify Admin API. The only difference between this process and the process from a storefront is that on the storefront I have to use a proxy, which adds a signature onto my request so that I can perform HMAC verification.

Should I do a similar process when making calls from my embedded application, and if so how?

I followed a Node.js and React tutorial in part to get to where I am, and as I have it working, my embedded app already has access to my app's API_KEY and SHOP_ORIGIN. So I technically could simply send a POST request to my server from the embedded app, sending the SHOP_ORIGIN, then in my server query my database for the corresponding shop's offline_token, and with that make a call to the Admin API. However it feels like I'm skipping some sort of a verification step (like the signature for app proxies). In order for this to work I need an endpoint on my server which just takes a SHOP_ORIGIN and can make any Admin API request with only that, in which case why do I even need to verify signatures for an app proxy?

Should I?

- Generate an online access token every time an embedded app is created and use that instead of the offline access token (since I have access to my app's API_KEY in my embedded app)?

If so, what is the redirect_uri in this context?

Reply 1 (1)

SBD_
Shopify Staff

Given the embedded app is loading an app from your server, you could create a session on the initial load (once you validate the request), and then check the session on API requests, something like:


// On app load, validate the request and then:
session['shop'] = 'some-shop.myshopify.com'

// On API request
if (session['shop']) { ...

Scott | Developer Advocate @ Shopify
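
The flow suggested in the reply, as an added Node.js example that is not code from the thread or from Shopify: the app-load request is validated with Shopify's query-string HMAC (all parameters except `hmac`, sorted and joined with `&`, HMAC-SHA256 with the app secret), and only then is the shop bound to the session. It assumes the load request carries the `hmac` parameter; the function names, the plain object standing in for a server-side session store, and the sample secret and query are constructed for illustration.

```javascript
const crypto = require('crypto');

// Canonical string Shopify signs: every query parameter except hmac,
// sorted by key and joined as key=value pairs with '&'.
function canonicalMessage(params) {
  return Object.keys(params).filter((k) => k !== 'hmac').sort()
    .map((k) => `${k}=${params[k]}`).join('&');
}

function hmacHex(params, secret) {
  return crypto.createHmac('sha256', secret)
    .update(canonicalMessage(params)).digest('hex');
}

// Constant-time comparison of the supplied hmac with the recomputed one.
function verifyShopifyHmac(query, secret) {
  if (typeof query.hmac !== 'string') return false;
  const expected = Buffer.from(hmacHex(query, secret), 'utf8');
  const supplied = Buffer.from(query.hmac, 'utf8');
  return expected.length === supplied.length &&
    crypto.timingSafeEqual(expected, supplied);
}

// On app load: bind the shop to the session only after validation.
function onAppLoad(session, query, secret) {
  if (!verifyShopifyHmac(query, secret)) return false;
  session.shop = query.shop;
  return true;
}

// On API request: the shop comes from the session; a shop value sent in
// the request body (e.g. SHOP_ORIGIN) is ignored.
function shopForApiRequest(session, body) {
  return session.shop || null; // null -> respond 401, make no Admin API call
}

// Constructed sample data (not real credentials or shops).
const SECRET = 'constructed-example-secret';
const loadQuery = { shop: 'some-shop.myshopify.com', timestamp: '1700000000' };
loadQuery.hmac = hmacHex(loadQuery, SECRET);

const session = {};
console.log(onAppLoad(session, loadQuery, SECRET));
console.log(shopForApiRequest(session, { shop: 'other-shop.myshopify.com' }));
console.log(shopForApiRequest({}, { shop: 'other-shop.myshopify.com' }));
```

Because the offline token lookup is keyed on `session.shop`, an endpoint that accepts a bare SHOP_ORIGIN from the client is no longer needed.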